The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Install a DNSSEC-aware validating recursive server

To use DNSSEC system-wide, run a validating recursive resolver that is DNSSEC-aware and send all DNS lookups through it. BIND and unbound are two options you can set up. Note that each requires specific options before it validates: unbound needs a trust anchor configured (the auto-trust-anchor-file option in unbound.conf, pointing at the root key), and BIND needs dnssec-validation auto; in the options block of named.conf.

If you attempt to visit a site whose DNS answer has been forged (a bogus, spoofed IP address), the validating resolver (BIND or unbound) refuses to pass on the invalid data: it answers SERVFAIL, so your browser (or other application) sees a failed lookup instead of the attacker's address. Since all DNS lookups go through the validating resolver, you do not need software with built-in DNSSEC support when using this option. Note that only signed zones are protected this way; answers for unsigned zones are still returned, just without validation.
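The following shell script is an added example, not from the original page or from either resolver project. It shows what a client actually gets back from the validating resolver described above: it classifies the text printed by dig +dnssec as secure (answer validated, AD flag set), insecure (answer returned but not validated) or bogus (validation failed, resolver answered SERVFAIL), and check_resolver probes a live resolver with one signed name and one deliberately mis-signed name. The resolver address 127.0.0.1, the test names ietf.org and dnssec-failed.org, and the abbreviated sample dig outputs are all assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original page). Classifies what a resolver
# tells a client, based on the text dig(1) prints for a +dnssec query:
#   secure   - NOERROR/NXDOMAIN with the AD (authenticated data) flag set
#   insecure - answer returned, but no AD flag (unsigned zone, or the
#              resolver does not validate)
#   bogus    - validation failed: a validating resolver answers SERVFAIL,
#              so the client never sees the forged address
#   unknown  - no header at all (timeout, resolver unreachable)
# Assumptions (not from the page): resolver at 127.0.0.1; ietf.org is a
# signed zone and dnssec-failed.org a deliberately mis-signed test zone.

classify_dig_output() {
    # $1: full dig output. Take the status from the ->>HEADER<<- line and
    # the flag list from the ";; flags:" line.
    status=$(printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p')
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR|NXDOMAIN)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        *) echo unknown ;;
    esac
}

query_dig() {
    # $1: name, $2: resolver address. Real network query; needs dig(1).
    dig +dnssec @"$2" "$1" A
}

check_resolver() {
    # Probe a resolver with a signed name and a deliberately broken one.
    # A validating resolver must answer secure for the first and bogus
    # for the second; a non-validating one answers insecure for both.
    resolver=${1:-127.0.0.1}
    good=$(classify_dig_output "$(query_dig "${2:-ietf.org}" "$resolver")")
    bad=$(classify_dig_output "$(query_dig "${3:-dnssec-failed.org}" "$resolver")")
    printf 'signed zone: %s, mis-signed zone: %s\n' "$good" "$bad"
    [ "$good" = secure ] && [ "$bad" = bogus ]
}

# Constructed, abbreviated dig outputs so the classifier can be exercised
# without network access.
SAMPLE_SECURE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26945
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
ietf.org.        1800    IN    A      104.16.44.99
ietf.org.        1800    IN    RRSIG  A 5 2 1800 ...
EOF
)
SAMPLE_INSECURE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
unsigned.example.    300    IN    A    192.0.2.10
EOF
)
SAMPLE_BOGUS=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9921
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# Run the live probe only when invoked as: ./dnssec-check.sh --live [resolver]
if [ "${1:-}" = --live ]; then
    check_resolver "${2:-127.0.0.1}"
fi
```

Two caveats when reading the result: the ad flag is only trustworthy when the path to the resolver is trusted (loopback, or a network you control), because anyone able to spoof the resolver's replies can also set that bit; and insecure for a zone that is not signed is normal, since DNSSEC validation only protects signed zones. If the mis-signed name comes back insecure instead of bogus, the resolver is not validating, which usually means the trust anchor option mentioned above is missing.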

Enable DNSSEC in specific software

If you choose not to install a DNSSEC-aware validating recursive server (see above), you need software with DNSSEC support built in to use its features. Often this means you must patch the software yourself. A list of several patched applications is found here. Additionally, some web browsers have extensions or add-ons that can be installed to perform DNSSEC checks without patching the program.

DNSSEC Hardware

You can check whether your router, modem, AP, etc. supports DNSSEC (a number of different features are tested) using dnssec-tester, a Python and GTK+ based application. The tool can also upload the gathered data to a server, so that other users and manufacturers are informed about the compatibility of their devices and can eventually fix the firmware (they will probably be urged to do so). Before running dnssec-tester, make sure that /etc/resolv.conf does not list any other nameservers. The results of tests performed by others can be found on the dnssec-tester website.